Hello fanthom,
All commands below must be run as root, of course.
If you're not root, then do this (the password should be: toor)
head -n 10 /etc/rc.d/rc.FireWall
#!/bin/bash
#
# usage: rc.firewall start|stop|status
#
# Simple firewall disallowing all incomming connections
# but allowing all traffic on localhost (lo device)
# and allowing all outgoing traffic for $ALLOWED_PORTS
# (you can set the variable below)
#
# Author: Tomas M. <http://slax.linux-live.org/>
Let's show line numbers:
1  #!/bin/bash
2  #
3  # usage: rc.firewall start|stop|status
4  #
5  # Simple firewall disallowing all incomming connections
6  # but allowing all traffic on localhost (lo device)
7  # and allowing all outgoing traffic for $ALLOWED_PORTS
8  # (you can set the variable below)
9  #
10 # Author: Tomas M. <http://slax.linux-live.org/>
Line 5 means:
Line 7 means: disallowing all outgoing traffic EXCEPT those in $ALLOWED_PORTS
Let's see how the original code runs:
First do:
This code...
... shows this:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Then this code...
# /etc/rc.d/rc.FireWall start
# /etc/rc.d/rc.FireWall status
... shows this:
Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- lo any anywhere anywhere
## ... some drops and accepts :-)
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 LOG_DROP all -- any any anywhere anywhere
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
0 0 ACCEPT all -- any any anywhere anywhere
## ... some drops and accepts :-)
Explain to me why we can see that INPUT is in the state of ACCEPT when your goal is to disallow INPUT?
If everything is ACCEPT then no firewall is needed, because nothing is stopped.
Is it what everyone wants?
Even Microsoft recommends that outgoing connections should be allowed by correct rules...
INPUT must be in the state of DROP, and that's it, at least!
Make the change as I said in my first post and then do this:
# /etc/rc.d/rc.FireWall start
# /etc/rc.d/rc.FireWall status
which shows this:
Chain INPUT (policy DROP 0 packets, 0 bytes)
## ... some drops and accepts :-)
Chain FORWARD (policy DROP 0 packets, 0 bytes)
## ... some drops and accepts :-)
Chain OUTPUT (policy DROP 0 packets, 0 bytes)
## ... some drops and accepts :-)
This is how it should be shown: everything is DROP.
So what is wrong in my discussion?
Now, let's discuss your point of view, which is not the original code's point of view.
as all connections would be blocked and this is not what we want.
All connections that could be blocked should be blocked: this is "best security practice".
And $ALLOWED_PORTS are allowed... This is the behavior we want.
Porteus is not used as a firewall but as a desktop distro.
In other words, we can block everything but allowed connections.
If some guys would like to use it as a Firewall/router, then FORWARD should be set to ACCEPT.
However, someone who would like to use it as a firewall must learn how to use a firewall.
In my point of view, Porteus is not a good choice for that.
I like Slackware so I tried Porteus...
You don't know everything because you are born to learn ...
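To make the argument above concrete, here is an added example of my own (not the Slax/Porteus rc.FireWall script): the rule set the post argues for, with default DROP on INPUT, FORWARD and OUTPUT, loopback and established replies allowed, new outgoing connections only to $ALLOWED_PORTS, plus a check that reads "rc.FireWall status" style output and confirms every default policy is DROP. The IPT variable, the sample port list and the STATUS_ACCEPT text are assumptions I constructed for the example.

```shell
#!/bin/bash
# Added example, not the Slax/Porteus rc.FireWall itself. IPT is a hypothetical
# variable: with the default "echo" the rules are only printed, so the script is
# safe to run unprivileged; run as root with IPT=iptables to apply them.
ALLOWED_PORTS="${ALLOWED_PORTS:-53 80 443}"   # constructed sample: DNS, HTTP, HTTPS
IPT="${IPT:-echo}"

fw_rules() {
    # Default policies first: whatever no rule below accepts is dropped.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT DROP
    $IPT -F
    # Loopback traffic is always allowed.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A OUTPUT -o lo -j ACCEPT
    # Replies to connections this host opened itself.
    $IPT -A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    $IPT -A OUTPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
    # New outgoing connections only to the allowed destination ports.
    for port in $ALLOWED_PORTS; do
        $IPT -A OUTPUT -p tcp --dport "$port" -m state --state NEW -j ACCEPT
        $IPT -A OUTPUT -p udp --dport "$port" -j ACCEPT
    done
    # Log what is about to hit the DROP policy, rate limited to keep logs sane.
    $IPT -A INPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-in: "
    $IPT -A OUTPUT -m limit --limit 5/min -j LOG --log-prefix "fw-drop-out: "
}

# Given the text of "iptables -L -v" (what rc.FireWall status prints), return 0
# only when INPUT, FORWARD and OUTPUT all show "policy DROP".
fw_policy_check() {
    local n
    n=$(printf '%s\n' "$1" | grep -Ec '^Chain (INPUT|FORWARD|OUTPUT) \(policy DROP' || true)
    [ "$n" -eq 3 ]
}

# Constructed sample of the unhardened status output quoted in the post.
STATUS_ACCEPT='Chain INPUT (policy ACCEPT 0 packets, 0 bytes)
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
Chain OUTPUT (policy ACCEPT 0 packets, 0 bytes)'

fw_rules
if fw_policy_check "$STATUS_ACCEPT"; then
    echo "all default policies are DROP"
else
    echo "WARNING: at least one default policy is still ACCEPT"
fi
```

With IPT=iptables, pipe the real `iptables -L -v` output into fw_policy_check after starting the firewall to verify the policies the way the post does by eye.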